]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/securityd_client.h
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59306.41.2.tar.gz
[apple/security.git] / OSX / sec / ipc / securityd_client.h
1 /*
2 * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #ifndef _SECURITYD_CLIENT_H_
24 #define _SECURITYD_CLIENT_H_
25
26 #include <stdint.h>
27
28 #include "keychain/securityd/SecKeybagSupport.h"
29
30 #include <Security/SecTrust.h>
31 #include <Security/SecTask.h>
32 #ifndef MINIMIZE_INCLUDES
33
34 #pragma clang diagnostic push
35 #pragma clang diagnostic ignored "-Wfour-char-constants"
36 # include "OSX/sec/Security/SecTrustStore.h"
37 #pragma clang diagnostic pop
38
39 #else
40 typedef struct __SecTrustStore *SecTrustStoreRef;
41 //# ifndef _SECURITY_SECCERTIFICATE_H_
42 //typedef struct __SecCertificate *SecCertificateRef;
43 //# endif // _SECURITY_SECCERTIFICATE_H_
44 #endif // MINIMIZE_INCLUDES
45
46 #include "OSX/utilities/SecAKSWrappers.h"
47
48 #include <CoreFoundation/CFArray.h>
49 #include <CoreFoundation/CFDictionary.h>
50 #include <CoreFoundation/CFError.h>
51
52 #include "keychain/SecureObjectSync/SOSCloudCircle.h"
53 #include "keychain/SecureObjectSync/SOSPeerInfo.h"
54 #include "keychain/SecureObjectSync/SOSRing.h"
55
56 #include <xpc/xpc.h>
57 #include <CoreFoundation/CFXPCBridge.h>
58
59 #include <TargetConditionals.h>
60
61 #if TARGET_OS_OSX
62 #define kSecuritydXPCServiceName "com.apple.securityd.xpc"
63 #define kSecuritydSystemXPCServiceName "com.apple.securityd.system.xpc"
64 #define kTrustdAgentXPCServiceName "com.apple.trustd.agent"
65 #define kTrustdXPCServiceName "com.apple.trustd"
66 #else
67 #define kSecuritydXPCServiceName "com.apple.securityd"
68 #define kTrustdAgentXPCServiceName "com.apple.trustd"
69 #define kTrustdXPCServiceName "com.apple.trustd"
70 #endif // *** END TARGET_OS_OSX ***
71
72 #define kSecuritydGeneralServiceName "com.apple.securityd.general"
73 #define kSecuritydSOSServiceName "com.apple.securityd.sos"
74
75 //
76 // MARK: XPC Information.
77 //
78
79 #if TARGET_OS_IPHONE
80 extern CFStringRef sSecXPCErrorDomain;
81 #endif
82
83 extern const char *kSecXPCKeyOperation;
84 extern const char *kSecXPCKeyResult;
85 extern const char *kSecXPCKeyEndpoint;
86 extern const char *kSecXPCKeyError;
87 extern const char *kSecXPCKeyPeerInfoArray;
88 extern const char *kSecXPCKeyUserLabel;
89 extern const char *kSecXPCKeyBackup;
90 extern const char *kSecXPCKeyKeybag;
91 extern const char *kSecXPCKeyFlags;
92 extern const char *kSecXPCKeyUserPassword;
93 extern const char *kSecXPCKeyEMCSBackup;
94 extern const char *kSecXPCKeyDSID;
95 extern const char *kSecXPCKeyViewName;
96 extern const char *kSecXPCKeyViewActionCode;
97 extern const char *kSecXPCKeyNewPublicBackupKey;
98 extern const char *kSecXPCKeyRecoveryPublicKey;
99 extern const char *kSecXPCKeyIncludeV0;
100 extern const char *kSecXPCKeyEnabledViewsKey;
101 extern const char *kSecXPCKeyDisabledViewsKey;
102 extern const char *kSecXPCKeyEscrowLabel;
103 extern const char *kSecXPCKeyTriesLabel;
104 extern const char *kSecXPCKeyFileDescriptor;
105 extern const char *kSecXPCKeyAccessGroups;
106 extern const char *kSecXPCKeyClasses;
107 extern const char *kSecXPCKeyNormalizedIssuer;
108 extern const char *kSecXPCKeySerialNumber;
109 extern const char *kSecXPCKeyBackupKeybagIdentifier;
110 extern const char *kSecXPCKeyBackupKeybagPath;
111
112 //
113 // MARK: Dispatch macros
114 //
115
116 #define SECURITYD_XPC(sdp, wrapper, ...) ((gSecurityd && gSecurityd->sdp) ? gSecurityd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
117 #define TRUSTD_XPC(sdp, wrapper, ...) ((gTrustd && gTrustd->sdp) ? gTrustd->sdp(__VA_ARGS__) : wrapper(sdp ## _id, __VA_ARGS__))
118
119 #define TRUSTD_XPC_ASYNC(sdp, wrapper, q, h, ...) do { \
120 if (gTrustd != NULL && gTrustd->sdp != NULL) { \
121 dispatch_async(q, ^{ \
122 CFErrorRef _error = NULL; \
123 SecTrustResultType _tr = gTrustd->sdp(__VA_ARGS__, &_error); \
124 h(_tr, _error); \
125 }); \
126 } else { \
127 wrapper(q, h, sdp ## _id, __VA_ARGS__); \
128 } \
129 } while (0)
130
131 //
132 // MARK: Object to XPC format conversion.
133 //
134
135
136 //
137 // MARK: XPC Interfaces
138 //
139
140 extern const char *kSecXPCKeyPeerInfo;
141 extern const char *kSecXPCLimitInMinutes;
142 extern const char *kSecXPCKeyQuery;
143 extern const char *kSecXPCKeyAttributesToUpdate;
144 extern const char *kSecXPCKeyDomain;
145 extern const char *kSecXPCKeyDigest;
146 extern const char *kSecXPCKeyCertificate;
147 extern const char *kSecXPCKeySettings;
148 extern const char *kSecXPCPublicPeerId; // Public peer id
149 extern const char *kSecXPCOTRSession; // OTR session bytes
150 extern const char *kSecXPCData; // Data to process
151 extern const char *kSecXPCOTRReady; // OTR ready for messages
152 extern const char *kSecXPCKeyViewName;
153 extern const char *kSecXPCKeyViewActionCode;
154 extern const char *kSecXPCKeyHSA2AutoAcceptInfo;
155 extern const char *kSecXPCKeyString;
156 extern const char *kSecXPCKeyArray;
157 extern const char *kSecXPCKeySet;
158 extern const char *kSecXPCKeySet2;
159 extern const char *kSecXPCVersion;
160 extern const char *kSecXPCKeySignInAnalytics;
161 extern const char *kSecXPCKeyReason;
162
163 //
164 // MARK: Mach port request IDs
165 //
166 enum SecXPCOperation {
167 sec_item_add_id = 0,
168 sec_item_copy_matching_id = 1,
169 sec_item_update_id = 2,
170 sec_item_delete_id = 3,
171 // trust_store_for_domain -- NOT an ipc
172 sec_trust_store_contains_id = 4,
173 sec_trust_store_set_trust_settings_id = 5,
174 sec_trust_store_remove_certificate_id = 6,
175 // remove_all -- NOT an ipc
176 sec_delete_all_id = 7,
177 sec_trust_evaluate_id = 8,
178 // Any new items MUST be added below here
179 // This allows updating roots on a device, since SecTrustEvaluate must continue to work
180 sec_keychain_backup_id,
181 sec_keychain_restore_id,
182 sec_keychain_backup_syncable_id,
183 sec_keychain_restore_syncable_id,
184 sec_item_backup_copy_names_id,
185 sec_item_backup_handoff_fd_id,
186 sec_item_backup_set_confirmed_manifest_id,
187 sec_item_backup_restore_id,
188 sec_keychain_sync_update_message_id,
189 sec_ota_pki_trust_store_version_id,
190 sec_ota_pki_asset_version_id,
191 sec_otr_session_create_remote_id,
192 sec_otr_session_process_packet_remote_id,
193 kSecXPCOpOTAPKIGetNewAsset,
194 kSecXPCOpOTAGetEscrowCertificates,
195 kSecXPCOpOTAPKICopyTrustedCTLogs,
196 kSecXPCOpOTAPKICopyCTLogForKeyID,
197 kSecXPCOpProcessUnlockNotification,
198 kSecXPCOpProcessSyncWithAllPeers,
199 kSecXPCOpRollKeys,
200 sec_add_shared_web_credential_id,
201 sec_copy_shared_web_credential_id,
202 sec_get_log_settings_id,
203 sec_set_xpc_log_settings_id,
204 sec_set_circle_log_settings_id,
205 soscc_EnsurePeerRegistration_id,
206 kSecXPCOpRequestEnsureFreshParameters,
207 kSecXPCOpGetAllTheRings,
208 kSecXPCOpApplyToARing,
209 kSecXPCOpWithdrawlFromARing,
210 kSecXPCOpEnableRing,
211 kSecXPCOpRingStatus,
212 kSecXPCOpRequestDeviceID,
213 kSecXPCOpSetDeviceID,
214 kSecXPCOpHandleIDSMessage,
215 kSecXPCOpSyncWithKVSPeer,
216 kSecXPCOpSyncWithIDSPeer,
217 kSecXPCOpSendIDSMessage,
218 kSecXPCOpPingTest,
219 kSecXPCOpIDSDeviceID,
220 kSecXPCOpSyncWithKVSPeerIDOnly,
221 // any process using an operation below here is required to have entitlement keychain-cloud-circle
222 kSecXPCOpTryUserCredentials,
223 kSecXPCOpSetUserCredentials,
224 kSecXPCOpSetUserCredentialsAndDSID,
225 kSecXPCOpSetUserCredentialsAndDSIDWithAnalytics,
226 kSecXPCOpCanAuthenticate,
227 kSecXPCOpPurgeUserCredentials,
228 kSecXPCOpDeviceInCircle,
229 kSecXPCOpRequestToJoin,
230 kSecXPCOpRequestToJoinWithAnalytics,
231 kSecXPCOpRequestToJoinAfterRestore,
232 kSecXPCOpRequestToJoinAfterRestoreWithAnalytics,
233 kSecXPCOpResetToOffering,
234 kSecXPCOpResetToEmpty,
235 kSecXPCOpResetToEmptyWithAnalytics,
236 kSecXPCOpView,
237 kSecXPCOpViewSet,
238 kSecXPCOpViewSetWithAnalytics,
239 kSecXPCOpRemoveThisDeviceFromCircle,
240 kSecXPCOpRemoveThisDeviceFromCircleWithAnalytics,
241 kSecXPCOpRemovePeersFromCircle,
242 kSecXPCOpRemovePeersFromCircleWithAnalytics,
243 kSecXPCOpLoggedOutOfAccount,
244 kSecXPCOpBailFromCircle,
245 kSecXPCOpAcceptApplicants,
246 kSecXPCOpRejectApplicants,
247 kSecXPCOpCopyApplicantPeerInfo,
248 kSecXPCOpCopyValidPeerPeerInfo,
249 kSecXPCOpValidateUserPublic,
250 kSecXPCOpCopyNotValidPeerPeerInfo,
251 kSecXPCOpCopyPeerPeerInfo,
252 kSecXPCOpCopyConcurringPeerPeerInfo,
253 kSecXPCOpCopyGenerationPeerInfo,
254 kSecXPCOpGetLastDepartureReason,
255 kSecXPCOpSetLastDepartureReason,
256 kSecXPCOpCopyIncompatibilityInfo,
257 kSecXPCOpCopyRetirementPeerInfo,
258 kSecXPCOpCopyViewUnawarePeerInfo,
259 kSecXPCOpCopyEngineState,
260 kSecXPCOpCopyMyPeerInfo,
261 kSecXPCOpAccountSetToNew,
262 kSecXPCOpSetNewPublicBackupKey,
263 kSecXPCOpSetBagForAllSlices,
264 kSecXPCOpWaitForInitialSync,
265 kSecXPCOpWaitForInitialSyncWithAnalytics,
266 kSecXPCOpCopyYetToSyncViews,
267 kSecXPCOpSetEscrowRecord,
268 kSecXPCOpGetEscrowRecord,
269 kSecXPCOpCheckPeerAvailability,
270 kSecXPCOpCopyAccountData,
271 kSecXPCOpDeleteAccountData,
272 kSecXPCOpCopyEngineData,
273 kSecXPCOpDeleteEngineData,
274 kSecXPCOpCopyApplication,
275 kSecXPCOpCopyCircleJoiningBlob,
276 kSecXPCOpJoinWithCircleJoiningBlob,
277 kSecXPCOpKVSKeyCleanup,
278 kSecXPCOpPopulateKVS,
279 kSecXPCOpAccountHasPublicKey,
280 kSecXPCOpAccountIsNew,
281 kSecXPCOpClearKVSPeerMessage,
282 kSecXPCOpRegisterRecoveryPublicKey,
283 kSecXPCOpGetRecoveryPublicKey,
284 kSecXPCOpCopyBackupInformation,
285 kSecXPCOpCopyInitialSyncBlob,
286 /* after this is free for all */
287 kSecXPCOpWhoAmI,
288 kSecXPCOpTransmogrifyToSyncBubble,
289 kSecXPCOpTransmogrifyToSystemKeychain,
290 kSecXPCOpWrapToBackupSliceKeyBagForView,
291 sec_item_update_token_items_id,
292 kSecXPCOpDeleteUserView,
293 sec_trust_store_copy_all_id,
294 sec_trust_store_copy_usage_constraints_id,
295 sec_ocsp_cache_flush_id,
296 sec_delete_items_with_access_groups_id,
297 kSecXPCOpIsThisDeviceLastBackup,
298 sec_keychain_backup_keybag_uuid_id,
299 kSecXPCOpPeersHaveViewsEnabled,
300 kSecXPCOpProcessSyncWithPeers,
301 kSecXPCOpMessageFromPeerIsPending,
302 kSecXPCOpSendToPeerIsPending,
303 sec_item_copy_parent_certificates_id,
304 sec_item_certificate_exists_id,
305 kSecXPCOpBackupKeybagAdd,
306 kSecXPCOpBackupKeybagDelete,
307 kSecXPCOpSFKeychainEndpoint,
308 kSecXPCOpKeychainControlEndpoint,
309 kSecXPCOpNetworkingAnalyticsReport,
310 kSecXPCOpSetCTExceptions,
311 kSecXPCOpCopyCTExceptions,
312 kSecXPCOpOTASecExperimentGetAsset,
313 kSecXPCOpOTASecExperimentGetNewAsset,
314 sec_trust_get_exception_reset_count_id,
315 sec_trust_increment_exception_reset_count_id,
316 };
317
318
319 typedef struct SecurityClient {
320 SecTaskRef task;
321 CFArrayRef accessGroups;
322 bool allowSystemKeychain;
323 bool allowSyncBubbleKeychain;
324 bool isNetworkExtension;
325 bool canAccessNetworkExtensionAccessGroups;
326 uid_t uid;
327 CFDataRef musr;
328 #if (TARGET_OS_IPHONE && !TARGET_OS_SIMULATOR) && TARGET_HAS_KEYSTORE
329 keybag_handle_t keybag;
330 #endif
331 #if TARGET_OS_IPHONE
332 bool inMultiUser;
333 int activeUser;
334 #endif
335 } SecurityClient;
336
337
338 extern SecurityClient * SecSecurityClientGet(void);
339 #if TARGET_OS_IOS
340 void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
341 void SecSecuritySetPersonaMusr(CFStringRef uuid);
342 #endif
343
344 struct securityd {
345 /* LOCAL KEYCHAIN */
346 bool (*sec_item_add)(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
347 bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
348 bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
349 bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
350 bool (*sec_item_delete_all)(CFErrorRef* error);
351 CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
352 bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
353 CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error);
354 bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
355 bool (*sec_roll_keys)(bool force, CFErrorRef* error);
356 bool (*sec_item_update_token_items)(CFStringRef tokenID, CFArrayRef query, SecurityClient *client, CFErrorRef* error);
357 bool (*sec_delete_items_with_access_groups)(CFArrayRef bundleIDs, SecurityClient *client, CFErrorRef *error);
358 /* SHAREDWEBCREDENTIALS */
359 bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
360 bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
361 /* SECUREOBJECTSYNC */
362 CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
363 bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error);
364 CFArrayRef (*sec_item_backup_copy_names)(CFErrorRef *error);
365 int (*sec_item_backup_handoff_fd)(CFStringRef backupName, CFErrorRef *error);
366 bool (*sec_item_backup_set_confirmed_manifest)(CFStringRef backupName, CFDataRef keybagDigest, CFDataRef manifest, CFErrorRef *error);
367 bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error);
368 CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error);
369 bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error);
370 bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
371 bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error);
372 bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error);
373 bool (*soscc_SetUserCredentialsAndDSIDWithAnalytics)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFDataRef parentEvent, CFErrorRef *error);
374 bool (*soscc_CanAuthenticate)(CFErrorRef *error);
375 bool (*soscc_PurgeUserCredentials)(CFErrorRef *error);
376 SOSCCStatus (*soscc_ThisDeviceIsInCircle)(CFErrorRef* error);
377 bool (*soscc_RequestToJoinCircle)(CFErrorRef* error);
378 bool (*soscc_RequestToJoinCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
379 bool (*soscc_RequestToJoinCircleAfterRestore)(CFErrorRef* error);
380 bool (*soscc_RequestToJoinCircleAfterRestoreWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
381 bool (*soscc_RequestEnsureFreshParameters)(CFErrorRef* error);
382 CFStringRef (*soscc_GetAllTheRings)(CFErrorRef *error);
383 bool (*soscc_ApplyToARing)(CFStringRef ringName, CFErrorRef* error);
384 bool (*soscc_WithdrawlFromARing)(CFStringRef ringName, CFErrorRef* error);
385 bool (*soscc_EnableRing)(CFStringRef ringName, CFErrorRef* error);
386 SOSRingStatus (*soscc_RingStatus)(CFStringRef ringName, CFErrorRef* error);
387 bool (*soscc_SetToNew)(CFErrorRef *error);
388 bool (*soscc_ResetToOffering)(CFErrorRef* error);
389 bool (*soscc_ResetToEmpty)(CFErrorRef* error);
390 bool (*soscc_ResetToEmptyWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
391 SOSViewResultCode (*soscc_View)(CFStringRef view, SOSViewActionCode action, CFErrorRef *error);
392 bool (*soscc_ViewSet)(CFSetRef enabledViews, CFSetRef disabledViews);
393 bool (*soscc_ViewSetWithAnalytics)(CFSetRef enabledViews, CFSetRef disabledViews, CFDataRef parentEvent);
394 bool (*soscc_RegisterSingleRecoverySecret)(CFDataRef backupSlice, bool forV0Only, CFErrorRef *error);
395 bool (*soscc_RegisterRecoveryPublicKey)(CFDataRef recovery_key, CFErrorRef *error);
396 CFDataRef (*soscc_CopyRecoveryPublicKey)(CFErrorRef *error);
397 bool (*soscc_RemoveThisDeviceFromCircle)(CFErrorRef* error);
398 bool (*soscc_RemoveThisDeviceFromCircleWithAnalytics)(CFDataRef parentEvent, CFErrorRef* error);
399 bool (*soscc_RemovePeersFromCircle)(CFArrayRef peers, CFErrorRef* error);
400 bool (*soscc_RemovePeersFromCircleWithAnalytics)(CFArrayRef peers, CFDataRef parentEvent, CFErrorRef* error);
401 bool (*soscc_LoggedOutOfAccount)(CFErrorRef* error);
402 bool (*soscc_BailFromCircle)(uint64_t limit_in_seconds, CFErrorRef* error);
403 bool (*soscc_AcceptApplicants)(CFArrayRef applicants, CFErrorRef* error);
404 bool (*soscc_RejectApplicants)(CFArrayRef applicants, CFErrorRef* error);
405 SOSPeerInfoRef (*soscc_SetNewPublicBackupKey)(CFDataRef pubKey, CFErrorRef *error);
406 bool (*soscc_ValidateUserPublic)(CFErrorRef* error);
407 CFArrayRef (*soscc_CopyGenerationPeerInfo)(CFErrorRef* error);
408 CFArrayRef (*soscc_CopyApplicantPeerInfo)(CFErrorRef* error);
409 CFArrayRef (*soscc_CopyValidPeerPeerInfo)(CFErrorRef* error);
410 CFArrayRef (*soscc_CopyNotValidPeerPeerInfo)(CFErrorRef* error);
411 CFArrayRef (*soscc_CopyRetirementPeerInfo)(CFErrorRef* error);
412 CFArrayRef (*soscc_CopyViewUnawarePeerInfo)(CFErrorRef* error);
413 CFArrayRef (*soscc_CopyEngineState)(CFErrorRef* error);
414 // Not sure why these are below the last entry in the enum order above, but they are:
415 CFArrayRef (*soscc_CopyPeerInfo)(CFErrorRef* error);
416 CFArrayRef (*soscc_CopyConcurringPeerInfo)(CFErrorRef* error);
417 CFStringRef (*soscc_CopyIncompatibilityInfo)(CFErrorRef* error);
418 enum DepartureReason (*soscc_GetLastDepartureReason)(CFErrorRef* error);
419 bool (*soscc_SetLastDepartureReason)(enum DepartureReason, CFErrorRef* error);
420 CFSetRef (*soscc_ProcessSyncWithPeers)(CFSetRef peerIDs, CFSetRef backupPeerIDs, CFErrorRef* error);
421 SyncWithAllPeersReason (*soscc_ProcessSyncWithAllPeers)(CFErrorRef* error);
422 bool (*soscc_EnsurePeerRegistration)(CFErrorRef* error);
423 CFArrayRef (*sec_keychain_sync_update_message)(CFDictionaryRef update, CFErrorRef *error);
424 CFPropertyListRef (*sec_get_log_settings)(CFErrorRef* error);
425 bool (*sec_set_xpc_log_settings)(CFTypeRef type, CFErrorRef* error);
426 bool (*sec_set_circle_log_settings)(CFTypeRef type, CFErrorRef* error);
427 SOSPeerInfoRef (*soscc_CopyMyPeerInfo)(CFErrorRef*);
428 bool (*soscc_WaitForInitialSync)(CFErrorRef*);
429 bool (*soscc_WaitForInitialSyncWithAnalytics)(CFDataRef parentEvent, CFErrorRef *error);
430 CFArrayRef (*soscc_CopyYetToSyncViewsList)(CFErrorRef*);
431 bool (*soscc_SetEscrowRecords)(CFStringRef escrow_label, uint64_t tries, CFErrorRef *error);
432 CFDictionaryRef (*soscc_CopyEscrowRecords)(CFErrorRef *error);
433 CFDictionaryRef (*soscc_CopyBackupInformation)(CFErrorRef *error);
434 bool (*soscc_PeerAvailability)(CFErrorRef *error);
435 bool (*sosbskb_WrapToBackupSliceKeyBagForView)(CFStringRef viewName, CFDataRef input, CFDataRef* output, CFDataRef* bskbEncoded, CFErrorRef* error);
436 CFDataRef (*soscc_CopyAccountState)(CFErrorRef *error);
437 bool (*soscc_DeleteAccountState)(CFErrorRef *error);
438 CFDataRef (*soscc_CopyEngineData)(CFErrorRef *error);
439 bool (*soscc_DeleteEngineState)(CFErrorRef *error);
440 SOSPeerInfoRef (*soscc_CopyApplicant)(CFErrorRef *error);
441 CFDataRef (*soscc_CopyCircleJoiningBlob)(SOSPeerInfoRef applicant, CFErrorRef *error);
442 CFDataRef (*soscc_CopyInitialSyncData)(SOSInitialSyncFlags flags, CFErrorRef *error);
443 bool (*soscc_JoinWithCircleJoiningBlob)(CFDataRef joiningBlob, PiggyBackProtocolVersion version, CFErrorRef *error);
444 bool (*soscc_SOSCCCleanupKVSKeys)(CFErrorRef *error);
445 bool (*soscc_SOSCCTestPopulateKVSWithBadKeys)(CFErrorRef *error);
446 bool (*soscc_AccountHasPublicKey)(CFErrorRef *error);
447 bool (*soscc_AccountIsNew)(CFErrorRef *error);
448 bool (*soscc_IsThisDeviceLastBackup)(CFErrorRef *error);
449 bool (*soscc_requestSyncWithPeerOverKVS)(CFStringRef peerID, CFDataRef message, CFErrorRef *error);
450 CFBooleanRef (*soscc_SOSCCPeersHaveViewsEnabled)(CFArrayRef views, CFErrorRef *error);
451 bool (*socc_clearPeerMessageKeyInKVS)(CFStringRef peerID, CFErrorRef *error);
452 bool (*soscc_SOSCCMessageFromPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
453 bool (*soscc_SOSCCSendToPeerIsPending)(SOSPeerInfoRef peer, CFErrorRef* error);
454 CFTypeRef (*soscc_status)(void);
455 /* otherstuff */
456 CFTypeRef secd_xpc_server;
457 };
458
459 extern struct securityd *gSecurityd;
460
461 struct trustd {
462 SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);
463 bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
464 bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
465 bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error);
466 bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error);
467 SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error);
468 uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error);
469 uint64_t (*sec_ota_pki_asset_version)(CFErrorRef* error);
470 CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error);
471 uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error);
472 uint64_t (*sec_ota_secexperiment_get_new_asset)(CFErrorRef* error);
473 CFDictionaryRef (*sec_ota_secexperiment_get_asset)(CFErrorRef* error);
474 CFDictionaryRef (*sec_ota_pki_copy_trusted_ct_logs)(CFErrorRef *error);
475 CFDictionaryRef (*sec_ota_pki_copy_ct_log_for_keyid)(CFDataRef keyID, CFErrorRef *error);
476 bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error);
477 bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error);
478 bool (*sec_ocsp_cache_flush)(CFErrorRef *error);
479 bool (*sec_networking_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error);
480 bool (*sec_trust_store_set_ct_exceptions)(CFStringRef appID, CFDictionaryRef exceptions, CFErrorRef *error);
481 CFDictionaryRef (*sec_trust_store_copy_ct_exceptions)(CFStringRef appID, CFErrorRef *error);
482 #if TARGET_OS_IPHONE
483 bool (*sec_trust_increment_exception_reset_count)(CFErrorRef *error);
484 uint64_t (*sec_trust_get_exception_reset_count)(CFErrorRef *error);
485 #endif
486 };
487
488 extern struct trustd *gTrustd;
489
490 CFArrayRef SecAccessGroupsGetCurrent(void);
491
492 // TODO Rename me
493 CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op);
494 XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
495 typedef void (^securityd_handler_t)(xpc_object_t reply, CFErrorRef error);
496 void securityd_message_with_reply_async(xpc_object_t message, dispatch_queue_t replyq,
497 securityd_handler_t handler);
498 XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
499 bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
500
501
502 bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
503 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
504 bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
505
506 void securityd_send_async_and_do(enum SecXPCOperation op, dispatch_queue_t replyq,
507 bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
508 securityd_handler_t handler);
509
510 // For testing only, never call this in a threaded program!
511 void SecServerSetTrustdMachServiceName(const char *name);
512
513 XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error);
514
515 #if __OBJC__
516 #import <Foundation/Foundation.h>
517 #import <Foundation/NSXPCConnection.h>
518 typedef void (^SecBoolNSErrorCallback) (bool, NSError*);
519
520 @protocol SecuritydXPCCallbackProtocol <NSObject>
521 - (void)callCallback: (bool) result error:(NSError*) error;
522 @end
523
524 @protocol SecuritydXPCProtocol <NSObject>
525 - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes
526 syncCallback:(id<SecuritydXPCCallbackProtocol>) callback
527 complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete;
528
529 // For the given item (specified exactly by its hash (currently SHA1)), attempt to set the CloudKit 'current' pointer
530 // to point to the given item.
531 // This can fail if:
532 // 1. your knowledge of the old current item is out of date
533 // 2. either the new item or old item has changed (checked by hash)
534 // 3. If this device can't talk with CloudKit for any reason
535 - (void)secItemSetCurrentItemAcrossAllDevices:(NSData*)newItemPersistentRef
536 newCurrentItemHash:(NSData*)newItemSHA1
537 accessGroup:(NSString*)accessGroup
538 identifier:(NSString*)identifier
539 viewHint:(NSString*)viewHint
540 oldCurrentItemReference:(NSData*)oldCurrentItemPersistentRef
541 oldCurrentItemHash:(NSData*)oldItemSHA1
542 complete:(void (^) (NSError* operror)) complete;
543
544 // For the given access group and identifier, check the current local idea of the 'current' item
545 -(void)secItemFetchCurrentItemAcrossAllDevices:(NSString*)accessGroup
546 identifier:(NSString*)identifier
547 viewHint:(NSString*)viewHint
548 fetchCloudValue:(bool)fetchCloudValue
549 complete:(void (^) (NSData* persistentref, NSError* operror)) complete;
550
551
552 // For each item in the keychainClass, return a persistant reference and the digest of the value
553 // The digest is not stable, and can change any time, the only promise is that if the digest
554 // value didn't change, the item didn't change. If digest change, the value MIGHT have changed,/
555 // but it could also just have stayed the same.
556 // The this interface bypass SEP/AKS and for that reason is a higher performance then SecItemCopyMatching().
557 - (void) secItemDigest:(NSString *)keychainClass
558 accessGroup:(NSString *)accessGroup
559 complete:(void (^)(NSArray<NSDictionary *> *digest, NSError* error))complete;
560
561 // Delete the multi-user slice of persona uuid
562 //
563 // Should be done just before account volume is unmounted, will delete all this user's data unconditionally
564 // There is nothing stopping futher storage though.
565 - (void) secKeychainDeleteMultiuser:(NSData *)uuid
566 complete:(void (^)(bool status, NSError* error))complete;
567
568 // Go through the keychain to verify the backup infrastructure is present and valid.
569 // The completion handler's dictionary will contain a string with statistics about the class, error will be nil or
570 // complain about what went wrong during verification.
571 // Lightweight mode only checks consistency of the backup infrastructure without verifying all keychain items
572 - (void)secItemVerifyBackupIntegrity:(BOOL)lightweight
573 completion:(void (^)(NSDictionary<NSString*, NSString*>* resultsPerKeyclass, NSError* error))completion;
574
575 @end
576
577 // Call this to receive a proxy object conforming to SecuritydXPCProtocol that you can call methods on.
578 // It's probably a remote object for securityd/secd, but it might be in-process if you've configured it that way.
579 id<SecuritydXPCProtocol> SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError *));
580
581 // Set up a local securityxpcserver: after this call, all securitydxpc calls will be handled in-process instead of actually transferring to securityd
582 id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void) NS_RETURNS_RETAINED;
583
584 // Make a SecBoolNSErrorCallback block into an Objective-C object (for proxying across NSXPC)
585 @interface SecuritydXPCCallback : NSObject <SecuritydXPCCallbackProtocol> {
586 SecBoolNSErrorCallback _callback;
587 }
588 @property SecBoolNSErrorCallback callback;
589 - (instancetype)initWithCallback: (SecBoolNSErrorCallback) callback;
590 @end
591
592 @interface SecuritydXPCClient : NSObject {
593 NSXPCConnection* _connection;
594 }
595 @property NSXPCConnection* connection;
596
597 +(void)configureSecuritydXPCProtocol: (NSXPCInterface*) interface;
598 @end
599
600 #endif // OBJC
601
602 #endif /* _SECURITYD_CLIENT_H_ */
mirror of Security